Posted by Unknown Lamer on Wednesday April 25, 2012 @11:44AM
from the steal-me-up-some-electricity dept.

FhnuZoag writes "A backdoor has been found in Canadian-based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the device's MAC address — something often publicly displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit."
The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.

Okay, this feature has its use. Let's say Beardo works for the city for 15 years and puts a password on all the light controllers. That's only sane, right? You don't want some asshole changing the light pattern so they get a green light every morning at 7:43 when they're on their way to work or disabling the first-responder receiver.

Let's also assume that Beardo got passed over for a raise AGAIN and decided, "okay, that's it, I'm leaving." Five years later they have to change the timing for some reason, let's say more traffic at the intersection or something, and Beardo is nowhere to be found. He's got a new job in Bermuda and you'll never hear from him again. (I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.)

Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

You've got to either find the password or send the unit back to the factory to get it reset to the blank factory default (Automation Direct will do this). People forget passwords. I'm sure once we switch to biometrics people will forget their thumbs or something.

HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of network. Well, then I guess the exploit becomes "anyone with $175 to buy a NRD-1298 from Rugged can run a Perl script". Even if there was a master password list in the factory then someone could break in or bribe their way into the system. Maybe this password should only work on a direct link like the serial port.

What I guess the company could have done is add the PO number or customer number to the MAC address and then use a more robust password generator to figure it out. I'm not entirely sure what they could do to make it a secure way of getting into your legitimately owned, but inadvertently locked, machine.

Hell, if you get two keys for a master-locked system you can narrow down the master key to one of 17 possibilities. We don't go around telling people that their doors aren't going to work.

Also, I hate to mention this, but I've said it before, the military uses weaponry to enforce their system security. If you're sitting on a rowboat with a parabolic dish, the frigate is going to shoot bullets at you.

Nice over-architected solution. Sorry you took so long to type out such an insanely complex, impossible-to-implement solution. Maybe RuggedCom has a job for you!

Alternate option: Simply make a bootrom option such that someone at the console during a power cycle can bypass the authentication. Cisco implemented this. It's not hard. No magic calculations, PO numbers, customer numbers.

A password generated using an externally visible attribute of the device is pure incompetence and making stupid decisions.

This isn't about Beardo going away and losing the password, it's about someone making one of those shockingly stupid decisions about convenience over security which leads to security through obscurity.

As TFS says, this is bordering on a trivial exploit since you can likely hack any and all devices running this OS merely by figuring out its MAC address.

What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.

HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of network.

Or, you could do what every $35 Internet router in the history of Best Buy does: put a little 5-cent button on the back of the device that restores its default settings (or bypasses the password check, or whatever).

Have the master password database at the manufacturer strongly encrypted, then have the password for that database on a couple of smartcards (one for use in recovery, one held elsewhere as a backup in case the first is rendered unusable). The database is only at risk if the smartcard's contents are intercepted by malware on that machine, up to (but not beyond) the point where the database is re-encrypted under a new key. If the machine is properly secured, the risk of this is close to zero.

Maybe it IS a feature, so they hate to have to remove that. Don't rumors about NSA backdoors surface every now and then? Not implementing a likely trivial patch to a gaping security hole doesn't have many other credible explanations.

There's a difference between "Nothing is 100% secure" and "Why yes sir, I will lay out the welcoming mat for you".

Indeed. But the concept of "degree" is something beyond quite a few people. For them it is always black and white. Stupid really, but widespread. If the world were black and white, there would be zero point in risk management. Instead it is one of the most important supporting disciplines for technology. And one quite a few people do not get at all.

Especially those things with a factory supplied backdoor. Regardless of the complexity of the password, regardless of how the marketing guys try to spin it as a "maintenance portal" or whatever they are calling it (assuming of course customers knew it was there), such a thing is essentially a backdoor.

Hopefully this was something that customers were aware of and something that customers could disable. Or more optimistically a debugging feature customers would have to enable for a session while in direct communication with the factory. Even so, a hypothetically generatable password is troubling.

Before someone mistakes you for a troll, I guess I'd better link to an explanation [cnet.com]. 14 years ago, somebody at Microsoft left a dangerous backdoor in Frontpage 98, with the phrase "Netscape engineers are weenies!" as the key. People were fired over this, and so should the persons responsible for the SNAFU at Rugged.

It is acceptable in exactly one scenario: A physically secured access port. But in all others, it is cheap and convenient. Quite stupid, really. My guess is that the people designing these things just have zero imagination and never expected their systems to come under attack.

My guess is that the people designing these things just have zero imagination and never expected their systems to come under attack.

A company called RuggedCom. That makes military equipment. That had the foresight to install user accounts and passwords in the first place.

What usually happens in these situations is that someone clever implements the security properly and then some idiot creates a backdoor for convenience. Say the technicians got annoyed by having to find out the admin username/password for every device they needed to work on so demanded a backdoor, or a random PHB just kept forgetting his password and looked like a dick.

They are probably (rightly) paranoid that reporting security defects like this will make them liable for criminal prosecution, and would prefer to remain anonymous. It's not like it hasn't happened before.

Using this device would mean you would fail PCI-DSS and probably a few other widely used standards (ISO-27001 for example). One of the first requirements in these standards is that default vendor passwords be changed. You can't change it or even disable it.

From what I have seen, the PCI audit company would pass you anyway or the company would find another that would pass them. This is the main problem with PCI. As the entity that is being certified pays for the service they choose an auditor that will pass them. The correct way to do it would be if the industry paid for this service.

The credit card industry itself. Meaning that to get PCI compliance certified, you and all others who are certified would pay into a pool that pays the auditors to audit, with randomly assigned auditors and the same payment pass or fail. These auditors would then take some sort of financial risk if you were to fail a future audit.

There is no real incentive for the CC companies to make audit compliance difficult. Remember that when a charge-back happens the seller pays.

Really, the financial incentive to do a good job and really be PCI compliant already falls on the merchant. For the most part PCI standards make sense. If you as a business don't implement PCI properly and then find some rubber stamp audit firm to sign off, it's a disservice to yourself. Just ask Sony; I bet they wish they'd taken PCI more seriously!

If you pass a PCI audit, and then get credit card data stolen because of an uncompliant practice that the auditors missed, then you're fracked (i.e., fully liable) anyway. THAT is the point of PCI - to ensure that the industry pays for nothing, and both compliance costs and fraud costs are on your (merchant) shoulders.

You wouldn't even get a refund from the auditors for not checking most basic things, they tend to have their legal homework done perfectly even if they are sloppy in the

Their failure to patch this in a year - or even enter into any meaningful dialogue - is indicative of a company with no effective management. Is it wrong to hope some script kiddies now run riot and permanently damage the brand. Probably but meh.

Security certifications are pretty useless and have no significant impact on actual security. Sad but true. The only reason why these certifications are so in demand is that they serve as CYA for now. I hope that goes away and vendors become liable if their devices are insecure, regardless of certification and with only sound practices, competent personnel, sound architecture, design, implementation and external _competent_ review limiting their liability.

Or brought it about. Unless you're really good at reading tea-leaves, you cannot possibly know what the probability of a nuclear confrontation with Iran is now versus what it would have been. So far, every country on the US' naughty list that has lacked WMD has been attacked and those on the list that have had WMD have not been attacked. If Stuxnet was indeed an attack, then Iran has recent experience of the former, which lends itself to the idea that it might prefer to be in the latter group.

Because for every instance of terrorism that the FBI/CIA/Mossad/Pentagon stops there are dozens (hundreds?) of instances of industrial espionage carried out. No one in their right mind would ever install Siemens hardware or software in their plant again if they suspected that there was a back door built in for their US competitors to sniff around through.

Looks like to exploit this, you need the MAC addrs.

1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.

2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?

3) If you manage to somehow own a plain ole PC on a SCADA network, now you can own embedded control devices. But having an owned PC on your network means you're dead anyway.

I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.

Or in other words 25 bits. This will unfortunately not stop marketing-math from claiming 24 bit space + another 24 bit space = 48 bits.

This easy violation of #1 above Still requires epic fail of #2 and/or #3 above to be applied, and if you have failed #2 or #3 you don't need to brute force anyway.

Because you need telnet access to haxor the thing, and the telnet MOTD supposedly tells you the MAC, I have absolutely no idea why you'd brute force the thing instead of just a simple expect script and a regex on

Also, don't forget that the first couple of those bytes are specific to a vendor, and in RuggedCom's case those would be "000ADC". So that leaves only 2^24 possible MACs from which to generate passwords to try, a search space which could then be further reduced by the need to be able to actually type the password in.

Barring rate limiting, or other protection mechanisms (unlikely on a SCADA device), I'd estimate that a brute force attack on a 100 Mb/s link is going to be done and dusted in a matter of minutes rather than hours or days.

Are you sure you don't mean sweep for every possible IP? In case of a private network, that would be 16 million addresses (1.6 * 10^7) which is a lot less than 2.81 * 10^14. Unless it filters MAC addresses somehow, exhausting the entire range would require going through 2.81 * 10^14 addresses. If that were possible using just 1 bit of traffic per address, it'd still take 2.81 * 10^14 / 10^7 (10Mbps) = 2.81 * 10^7 seconds which is just over 325 days.

1. is pretty easy to do. I walk into your office with a clipboard. I unplug an unused PC and away I go. If need be I clone that PCs network address. How many places actually encrypt their wired network?

I walk up to you, don't recognize you as an employee so I figure you're a tech from one of our vendors. I start hinting around for toys and freebies.

2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?

From TFA - the MAC is displayed in the MOTD.

As for telnet - you don't need telnet through the firewall. You just need something on the other side of the firewall, like say, an infected

I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.

Directly no, but that is not really the issue at all. The way to win in security is consistency, consistency, and consistency. You do the right things every time, every where you know of in hopes that it might save in the places you don't.

I have seen command and control shell codes that look enough like plain Jane http to not get flagged by most IDS, and the target is not in everyone's URL filters yet, so that is getting past the firewall and over the proxy. Couple that with a little social engineering and som

That's very interesting. What other standard safety measures do you find useless? Have you short circuited all the circuit breakers in your house? Remove the safety railing next to your stairs? Cut the seat belts out of your car? Thrown away the life jackets on your boat?

yes, yes, no (it never came with them), and I wish I had a boat...(kidding of course, it is absurd how people rely on one thing to protect them and assume it will never fail.)

This reminds me of the periodic epic haxor discovery that if you have physical access to a Cisco router and know the "config register hack" then you can pwn any router. It's one of those "duh" moments where if you don't have physical security, then you have no security at all.

Perhaps. With power control systems and traffic systems using this stuff it's also possible that I may have a power outage at my office and a *very* quick trip home, where all the lights my way are green. Possibly.

It is a device for industrial manufacturing. In the past the terminals and switches were accessible to anybody allowed into that area. It is an access problem. The network in a manufacturing plant should be inaccessible from outside.
Why is that even news?

Because morons DO allow access (physical and Internet) to these "secure" areas.

Look up the term "defense in depth." You do not stop at establishing perimeter security, an appropriate security architecture involves many layers of security thus ensuring you aren't screwed if someone decides to install a DSL line in the plant. Or a cellular modem connected to the serial port of this device in an electric substation. Or in case Bob the IT genius decides to punch a telnet hole through the firewall to make remote admin easier.

Well, that sounds fine, but totally unrealistic. You have in an industrial plant thousands of these control devices. Maintaining a password list for all these is just not going to work. So builder Bob will have a default password and Joe the mechanic has one. And you the operator have to know who installed this piece of hardware.
In an industrial plant not every button or pressure valve control needs a password. In fact I say they must not have one.

Well, that sounds fine, but totally unrealistic. You have in an industrial plant thousands of these control devices. Maintaining a password list for all these is just not going to work.

The devices don't need individual passwords, they need individual keys. Passwords are not keys. And deriving secure unique keys from a master key is a solved problem. You can use master key injection systems (like DUKPT). Or you can have the devices automatically create them when they are introduced to the network (like Z-Wave).

So builder Bob will have a default password and Joe the mechanic has one. And you the operator have to know who installed this piece of hardware.

Role based authority is also a way to ensure that the right people have the necessary access. You never give them the raw keys, you give them an access mechanism that uses the keys
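The thread keeps circling two points: a password that is a pure function of a public identifier (the MAC, printed on the case and, per the comments above, shown in the telnet MOTD) is recomputable by anyone, and the fix proposed in the last few posts is per-device keys derived from a vendor master secret and used through an access mechanism rather than handed out raw. The following is an added example written for this page; it is not RuggedCom's code and the "weak" derivation is a hypothetical stand-in, not the real ROS algorithm. The MOTD banner, the OUI-scoped brute force (the 2^24 search space discussed above) and the vendor master key are all constructed for the demonstration. The second half shows a DUKPT-style per-device key plus single-use challenge/response, so that knowing the device's identifier, and even watching a successful recovery, buys an attacker nothing.

```python
# Added example, not from the thread or from RuggedCom.  The "weak" scheme is a
# hypothetical stand-in for "password derived from the MAC" and is NOT the
# real ROS algorithm.  Banner, OUI usage and master key are constructed here.
import hashlib
import hmac
import os
import re
from typing import Optional

OUI = "000adc"  # vendor prefix quoted in the thread; any OUI works for the maths

# Constructed telnet login banner of the kind the thread says leaks the MAC.
CONSTRUCTED_MOTD = (
    "Rugged Operating System\r\n"
    "MAC Address: 00-0A-DC-00-01-02\r\n"
    "Login: "
)


def extract_mac(banner: str) -> Optional[str]:
    """Pull a MAC out of a login banner; returns 12 lowercase hex chars or None."""
    m = re.search(r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})", banner)
    return m.group(1).lower().replace(":", "").replace("-", "") if m else None


def weak_factory_password(mac: str) -> str:
    """Hypothetical weak scheme: password = first 8 hex digits of MD5(MAC).
    Anyone who can read the MAC recomputes it directly; no secret is involved."""
    return hashlib.md5(mac.lower().encode()).hexdigest()[:8]


def weak_search_space(oui_known: bool) -> int:
    """Candidates if the MAC is NOT known: 2^24 under a known OUI, 2^48 otherwise."""
    return 2 ** 24 if oui_known else 2 ** 48


def brute_force_weak(target_password: str, oui: str, max_tries: int) -> Optional[str]:
    """Walk the OUI's 24-bit suffix space until a MAC yields the target password."""
    for suffix in range(max_tries):
        mac = f"{oui}{suffix:06x}"
        if weak_factory_password(mac) == target_password:
            return mac
    return None


# --- the fix: per-device key from a master secret, used via challenge/response ---
def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """One key per device.  master_key stays in the vendor's HSM; the device is
    provisioned with only its own derived key at manufacture."""
    return hmac.new(master_key, b"ros-recovery-v1|" + device_id.encode(),
                    hashlib.sha256).digest()


class Device:
    """Device side of the recovery protocol."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key
        self._challenge: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def verify(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # single use: a captured response cannot be replayed
        return hmac.compare_digest(expected, response)


def vendor_respond(master_key: bytes, device_id: str, challenge: bytes) -> bytes:
    """Vendor side: re-derive the device key and answer the challenge.  Only the
    response crosses the wire; neither key ever leaves the HSM."""
    dev_key = derive_device_key(master_key, device_id)
    return hmac.new(dev_key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    mac = extract_mac(CONSTRUCTED_MOTD)
    pw = weak_factory_password(mac)
    # Even without the banner, a known OUI bounds the search to 2^24 MACs.
    recovered_mac = brute_force_weak(pw, OUI, 0x000200)

    master = b"vendor-master-secret-held-in-hsm"  # constructed for the example
    dev = Device(mac, derive_device_key(master, mac))

    # Attacker knows the MAC and sees the challenge, but not any key.
    ch = dev.issue_challenge()
    attacker_ok = dev.verify(hmac.new(mac.encode(), ch, hashlib.sha256).digest())

    # Legitimate vendor recovery, then a replay of the same response.
    ch = dev.issue_challenge()
    good = vendor_respond(master, mac, ch)
    vendor_ok = dev.verify(good)
    replay_ok = dev.verify(good)

    return {"mac": mac, "factory_password": pw, "recovered_mac": recovered_mac,
            "attacker_ok": attacker_ok, "vendor_ok": vendor_ok, "replay_ok": replay_ok}


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole point: under the weak scheme the "secret" is the MAC, so reading the banner is equivalent to logging in, and a 24-bit sweep finishes even when the banner is hidden. Under the derived-key scheme the only secret is the master key, which never leaves the vendor, the device holds just its own key, and each response is bound to a fresh nonce, so the role-based access the last post describes can be layered on top by controlling who is allowed to ask the HSM for a response.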

I am all for defense in depth, but to be honest this equipment is usually in place because of known limitations in lower layers. There is only one higher layer on most systems, and there are plenty of attack vectors that would bypass this. I am not a network engineer, but I really can't come up with ways to make a functional SCADA system if you can't trust VLAN level security at some point in the system for compartmentalization of systems.

The obvious correct hardware design was a simple switch (on the device) that allows usage of a default password. That way, you ensure both that you can put maintenance to the device in the future, whilst maintaining daily security.

You would soon find corporate procedure revised to require the switch to be always on because it saves $100k+ in downtime costs when the vendor pushes two updates in a month. You also have to make the switch prevent SCADA output and signal failure if left on.

I don't think you're understanding what the other poster proposed: a well designed system, like they said, would have a user-modifiable root password (that you can set to whatever and change according to your password guidelines) *AND* a hardware switch that allows a default password to be used instead (so that if you lose your root password you can fix things without having major downtime).

The other poster's addition of flipping the switch = the device does not work (save for maybe a "change the password"